Foreword

The Major Incident Investigation Board (MIIB) set up to investigate the Buncefield explosion and fire completed its work in 2008 and published its final report.¹ At that time it was not possible to disclose all the information about the underlying causation upon which many of its recommendations were based as criminal legal proceedings were still in progress. However, now that these proceedings have concluded, this information can be brought together so that everyone in major hazard industries, not just those involved in fuel storage, can learn from this incident, understand what went wrong, and take away lessons that are relevant to them. Although five years have passed since the incident, the information and advice in this report is still highly relevant today.

The explosion and fire at the Buncefield oil storage depot in 2005 was a significant event. As part of the work of the MIIB, the Health and Safety Executive and the Environment Agency, as the Competent Authority in England and Wales for the regulation of major accident hazards, carried out a joint investigation into the cause of the incident. The Competent Authority took action to ensure that those responsible for the incident were held to account in the criminal courts, and I emphasise our determination that, where we think it appropriate, the Competent Authority will continue to take the necessary action to ensure operators of major hazard sites manage them properly.

When passing sentence on the defendants at St Albans Crown Court on 16 July 2010, the Judge, the Hon Mr Justice Calvert-Smith, commented that cost cutting per se was not put forward as a major feature of the prosecution case, but the failings had more to do with slackness, inefficiency and a more-or-less complacent approach to matters of safety.

I therefore ask all in the major hazard industries to look carefully at your own operations in the light of the management and technical failings that lay behind this incident, and the important developments in the meantime.

Since the incident, the Competent Authority, industry and trade unions have worked together to drive forward high standards at fuel storage sites. This has resulted in agreement on improved standards of safety and environmental protection for all UK sites storing large volumes of gasoline and to systematically upgrade sites to meet these standards, with progress monitored by the Competent Authority as part of its regulatory programmes. This work has also established a set of process safety leadership principles for top-level engagement in all businesses involved with significant risks to people and the environment see

The Competent Authority has also improved its approach to regulating onshore major hazards in the light of ten years of operating the COMAH regime including incidents such as Buncefield. More information on the Competent Authority's remodelling programme is at

Major industrial incidents are thankfully rare and I trust this report will contribute to making them even rarer.

Gordon MacDonald
Chairman
Competent Authority Strategic Management Group

Executive summary

On the night of Saturday 10 December 2005, Tank 912 at the Hertfordshire Oil Storage Limited (HOSL) part of the Buncefield oil storage depot was filling with petrol. The tank had two forms of level control: a gauge that enabled the employees to monitor the filling operation; and an independent high-level switch (IHLS) which was meant to close down operations automatically if the tank was overfilled. The first gauge stuck and the IHLS was inoperable; there was therefore no means to alert the control room staff that the tank was filling to dangerous levels. Eventually large quantities of petrol overflowed from the top of the tank. A vapour cloud formed which ignited causing a massive explosion and a fire that lasted five days.

The gauge had stuck intermittently after the tank had been serviced in August However, neither site management nor the contractors who maintained the systems responded effectively to its obvious unreliability. The IHLS needed a padlock to retain its check lever in a working position. However, the switch supplier did not communicate this critical point to the installer and maintenance contractor or the site operator. Because of this lack of understanding, the padlock was not fitted.

Having failed to contain the petrol, there was reliance on a bund retaining wall around the tank (secondary containment) and a system of drains and catchment areas (tertiary containment) to ensure that liquids could not be released to the environment. Both forms of containment failed. Pollutants from fuel and firefighting liquids leaked from the bund, flowed off site and entered the groundwater. These containment systems were inadequately designed and maintained.

Failures of design and maintenance in both overfill protection systems and liquid containment systems were the technical causes of the initial explosion and the seepage of pollutants to the environment in its aftermath. However, underlying these immediate failings lay root causes based in broader management failings:

- Management systems in place at HOSL relating to tank filling were both deficient and not properly followed, despite the fact that the systems were independently audited.
- Pressures on staff had been increasing before the incident. The site was fed by three pipelines, two of which control room staff had little control over in terms of flow rates and timing of receipt. This meant that staff did not have sufficient information easily available to them to manage precisely the storage of incoming fuel.
- Throughput had increased at the site. This put more pressure on site management and staff and further degraded their ability to monitor the receipt and storage of fuel. The pressure on staff was made worse by a lack of engineering support from Head Office.
- Cumulatively, these pressures created a culture where keeping the process operating was the primary focus and process safety did not get the attention, resources or priority that it required.

This report does not identify any new learning about major accident prevention. Rather it serves to reinforce some important process safety management principles that have been known for some time:

- There should be a clear understanding of major accident risks and the safety critical equipment and systems designed to control them. This understanding should exist within organisations from the senior management down to the shop floor, and it needs to exist between all organisations involved in supplying, installing, maintaining and operating these controls.
- There should be systems and a culture in place to detect signals of failure in safety critical equipment and to respond to them quickly and effectively. In this case, there were clear signs that the equipment was not fit for purpose but no one questioned why, or what should be done about it other than ensure a series of temporary fixes.
- Time and resources for process safety should be made available. The pressures on staff and managers should be understood and managed so that they have the capacity to apply procedures and systems essential for safe operation.

Once all the above are in place:

- There should be effective auditing systems in place which test the quality of management systems and ensure that these systems are actually being used on the ground and are effective.

At the core of managing a major hazard business should be clear and positive process safety leadership with board-level involvement and competence to ensure that major hazard risks are being properly managed.

Introduction

1 Following the explosion and fire at Buncefield in December 2005 the Health and Safety Commission set up an independently chaired Major Incident Investigation Board (MIIB) led by Lord Newton of Braintree. The Board was given a wide-ranging set of objectives within its terms of reference and published a series of eight reports before its final report in Details of the Board's work and its recommendations can be found at

2 Legal constraints prevented the Board from publishing certain information about the root causes of the incident while criminal proceedings were in progress. These proceedings have now concluded and this document fills that gap. It addresses the root causes behind the loss of containment of fuel on 11 December It draws out the key lessons for those managing high-hazard industries.

3 This publication is based on the work of the COMAH Competent Authority Investigation Team over four years of investigation and is a summary of the conclusions. It would be impracticable to repeat all the painstaking work upon which the conclusions are based, much of which formed the evidence in the criminal trial.

The Buncefield oil storage depot

4 The Buncefield oil storage and transfer depot is a tank farm in Hemel Hempstead, Hertfordshire, England, close to Junction 8 of the M1 motorway. In December 2005 there were three operating sites at the depot:

- Hertfordshire Oil Storage Ltd (HOSL), a joint venture between Total UK Ltd and Chevron Ltd and under the day-to-day management of Total UK Ltd. HOSL (the site) was divided into East and West sites;
- British Pipeline Agency Ltd (BPA), a joint venture between BP Oil and Shell Oil UK, though assets were owned by UK Oil Pipelines Ltd (UKOP). This tank farm was also in two parts, the north section and the main section which was located between HOSL East and West; and
- BP Oil UK Ltd, at the southern end of the depot.

Figure 1 Aerial view of the Buncefield depot before the incident (Chiltern Air Support)

5 All three sites were top-tier sites under the Control of Major Accident Hazards Regulations 1999 (COMAH). In total the depot had hazardous planning consent to store tonnes of hydrocarbon fuels.

6 Fuel was transported to these sites through three pipelines:

- the Finaline between Lindsey Oil Refinery, Humberside and the HOSL West site;
- UKOP North line between Stanlow Oil Refinery, Merseyside and BPA; and
- UKOP South line between Coryton Oil Refinery, Essex and BPA.

7 The pipelines all transported fuels in batches. At Buncefield the various grades of fuel were separated into dedicated tanks according to the fuel type. The majority of fuel was then taken from the depot by road tankers. Jet aviation fuel left the BPA site via two pipelines to the West London Walton Gatwick pipeline system then distributed to Heathrow and Gatwick airports.

8 The site was therefore of strategic importance for the distribution of fuels to London and the south-east of England and was the fifth largest fuel distribution site in the UK.

9 The Maylands Industrial Estate, one of the largest in south-east England, is immediately to the west of the Buncefield depot.

10 The depot is sited on a variable layer of clay with flints, 2 to 10 metres thick, over the Upper Chalk stratum. The Upper Chalk is classified as a major aquifer that provides drinking water as well as other uses including private abstractors, agriculture and industry.

The incident and its aftermath

Figure 3 Layout of the Buncefield site showing flow of liquids

11 A parcel of unleaded petrol was being delivered through the UKOP South line into HOSL's Tank 912 from 1850 hrs on Saturday 10 December The tank, which had a capacity of 6 million litres, was fitted with an automatic tank gauging system (ATG) which measured the rising level of fuel and displayed this on a screen in the control room. At 0305 hrs on Sunday 11 December the ATG display flatlined, that is, it stopped registering the rising level of fuel in the tank although the tank continued to fill. Consequently the three ATG alarms, the user level, the high level and the high-high level, could not operate as the tank reading was always below these alarm levels. Due to the practice of working to alarms in the control room, the control room supervisor was not alerted to the fact that the tank was at risk of overfilling. The level of petrol in the tank continued to rise unchecked.

12 The tank was also fitted with an independent high-level switch (IHLS) set at a higher level than the ATG alarms. This was intended to stop the filling process by automatically closing valves on any pipelines importing product, as well as sounding an audible alarm should the petrol in the tank reach an unintended high level. The IHLS also failed to register the rising level of petrol, so the final alarm did not sound and the automatic shutdown was not activated. By 0537 hrs on 11 December, the level within the tank exceeded its ultimate capacity and petrol started to spill out of vents in the tank roof.

13 CCTV evidence showed that soon after that a white vapour was seen to emanate from the bund around the tank. In the windless conditions this vapour cloud, which was likely to have been a mixture of hydrocarbons and ice crystals, gradually spread to a diameter of about 360 metres, including areas off the HOSL site. This included a car park on the Maylands Estate, and onto the BPA north site where Tank 12, containing aviation kerosene, was situated.

14 The vapour cloud was noticed by members of the public off site and by tanker drivers on site waiting to fill their vehicles. They alerted employees on site. The fire alarm button was pressed at 0601 hrs, which sounded the alarm and started the firewater pump. A vapour cloud explosion occurred almost immediately, probably ignited by a spark caused by the firewater pump starting. By the time the explosion occurred, over litres of petrol had escaped from the tank.

Figure 4 Firefighters tackle a blazing tank at Buncefield (Hertfordshire County Council)

15 The severity of the explosion was far greater than could reasonably have been anticipated based on knowledge at the time and the conditions at the site. The devastation was enormous. Fortunately there were no fatalities but over 40 people were injured.

The ensuing fire, the largest seen in peacetime UK, engulfed over 20 fuel tanks on the HOSL and adjacent sites and burnt for several days. Fire crews attended from many parts of the country. Fuel and firefighting chemicals flowed from leaking bunds down drains and soakaways, both on and off site.

The environmental, social and economic toll was considerable. The human toll should not be underestimated; while no one lost their life some have yet to fully recover from the effect that the explosion had on their lives. The human effects may have been even greater had the event not occurred early on a Sunday morning when the adjacent industrial area was relatively quiet.

Root causes of the loss of containment

18 The immediate cause of this major incident was the failure of both the ATG and the IHLS to operate as the fuel level in Tank 912 increased. This was a loss of primary containment.

19 During and following the fire there were subsequent failures of secondary and tertiary containment. So what lay behind the immediate cause and subsequent failures of containment? In other words, what in terms of the overall management of operations at this high-hazard site led to these failures? What, in the processes and systems, failed to deliver the necessary high level of control of site operations? Understanding these root causes will allow those managing high-hazard industries to learn from the experience of Buncefield.

The independent high-level switch

20 Tank 912 was fitted with a new independent high-level switch on 1 July This had been designed, manufactured and supplied by TAV Engineering Ltd. TAV had designed the switch so that some of its functionality could be routinely tested. Unfortunately, the way the switch was designed, installed and maintained gave a false sense of security. Because those who installed and operated the switch did not fully understand the way it worked, or the crucial role played by a padlock, the switch was left effectively inoperable after the test. (A fuller description is in Appendix 1.)

Designers of equipment for use in high-hazard operations should have systems in place to ensure that the equipment is safe so far as is reasonably practicable.

21 The design fault could have been eradicated at an early stage if the design changes had been subjected to a rigorous review process. In any event, clear guidance, including instructions about the safety criticality of the padlock, should have been passed on to installers and users.

22 TAV was aware that its switches were used in high-hazard installations and therefore were likely to be safety critical.

Designers and suppliers should have adequate knowledge of the environments where their equipment will be used.

23 The impact of these defects in switch design, and the failure to inform users and suppliers of the change in criticality of the padlock, could have been reduced by those further down the supply chain. Motherwell Control Systems 2003 Ltd ordered the IHLS from TAV but the ordering process by both parties fell short of what would be expected for safety critical equipment intended for such a high-hazard environment. The information TAV provided did not give sufficient clarity about the key aspects of the IHLS design and use, and TAV should have enquired as to the intended purpose of the switch and formed a view as to its suitability in this case for a high-level only application. Motherwell staff were highly experienced in this field although the company itself had only recently come into existence as the result of a management buy-out. However, their systems for checking and understanding equipment again fell short of the mark.

24 It appears that nobody within Motherwell knew the safety critical significance of the padlock. The IHLS on Tank 912 was installed without the padlock because it seems that Motherwell staff thought it was for security anti-tamper purposes only. After the periodic tests, the lever was left unsecured either in the inoperable position or so that it could fall into that position. While they ought to have been able to rely on TAV to tell them, Motherwell staff equally should have known better. The elements of Motherwell's failure were:

- The process for ascertaining and then specifying the requirements of switches they supplied and/or installed was not adequate.
- They did not obtain the necessary data from the manufacturer and it follows that they did not provide such data to their customers.
- They did not understand the vulnerabilities of the switch or the function of the padlock.
- There was a reliance on TAV, which was not justified given the lack of information provided and the critical role that Motherwell had in installing safety critical equipment.

25 In addition to the failures of the manufacturers and installers of the IHLS, the site operator did not exercise sufficient oversight of the ordering, installation and testing procedure. While the switch was periodically tested, none of the staff at the HOSL site was aware of the need for the padlock to be replaced so that the test lever was held in the correct position.

The site operator should have had greater oversight of safety critical operations and equipment so that they understood fully how it worked, particularly given the expertise available within large oil companies.

The automatic tank gauging system

26 Failure of the ATG system was the other immediate cause of the incident. The servo-gauge had stuck (causing the level gauge to 'flatline') and not for the first time. In fact it had stuck 14 times between 31 August 2005, when the tank was returned to service after maintenance, and 11 December Sometimes supervisors rectified the symptoms of sticking by raising the gauge to its highest position then letting it settle again, a practice known as stowing. On other occasions Motherwell was called in to rectify the matter, although the definitive cause of the sticking was never properly identified. Sometimes the sticking was logged as a fault by supervisors and other times it was not.

27 The failure to have an effective fault logging process and the lack of a maintenance regime that could reliably respond to those faults were two of the most important root cause managerial and organisational failures underlying the incident. Further, Motherwell staff never saw that the unreliable gauge should be investigated. They did not analyse why they had been called out so frequently nor questioned the reliability of the system.

Other shortcomings

28 The system also had other shortcomings that could fairly easily have been remedied:

Monitoring screen

29 There was only one visual display screen for the data provided by the ATG system on a number of tanks which meant that the status of only one tank could be fully viewed at a time. On the night of the incident the display relating to Tank 912 was at or near the back of a stack of four other tank display windows. Only one computer was provided, with no back up, to run the entire ATG system. The supervisors relied heavily on the ATG system to control tank filling so having no back up for this critical control process was inadvisable.

Redundant emergency shutdown

30 The tank mimics on the screen showed a red stop emergency shutdown button. Use of this was meant to close all tank side valves. Unbeknown to a number of the supervisors this was not working and had never been fitted into the system. Had it worked it may have provided a useful emergency procedure although it may have taken several minutes for the valves to close. This issue is indicative of poor management control where supervisors did not appreciate the redundancy of the stop button and Motherwell staff never tested it. This meant that there was no proactive facility on the site to close down two (UKOP) of the three incoming pipelines. The Finaline had an emergency shutdown button accessible in the site control room.

System security

31 While there is no indication that it had any bearing on the incident, the security arrangements on the ATG system were lacking. It had its own built-in security system but this had been set so that all control room staff could modify any parameter including being able to change the alarm settings.

Alarm function

32 Later versions of the ATG system had the ability to be set to alarm in the event of inconsistencies between tank level measurements and filling data, which would have provided a way of alerting control room staff to an unexpected static reading. Had such a modification been made then supervisors may have been made aware of the sticking gauge before an overfill position was reached.

A more stringent monitoring scheme could have identified the shortcomings and allowed the site operator to upgrade the ATG system.
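The cross-check described in paragraph 32, sketched as an added example (it is not part of the original report and is not the ATG supplier's logic): the rise reported by the level gauge is compared with the rise implied by filling data over a sliding window, and an alarm is raised when the gauge lags. The 500 m² tank cross-section, 5-minute sampling, 15-minute window, thresholds and all names are assumptions for illustration, and the readings are constructed; only the 550 m³/hr flow rate is taken from the report.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Sample:
    minute: float          # minutes since filling started
    level_m: float         # level reported by the gauge, metres
    net_inflow_m3h: float  # pipeline inflow minus loading-bay outflow, m3/hr


@dataclass(frozen=True)
class Alarm:
    minute: float
    expected_rise_m: float
    observed_rise_m: float


def expected_rise(samples: List[Sample], start: int, end: int,
                  tank_area_m2: float) -> float:
    """Level rise implied by the filling data between two sample indices."""
    volume_m3 = 0.0
    for a, b in zip(samples[start:end], samples[start + 1:end + 1]):
        hours = (b.minute - a.minute) / 60.0
        # Trapezoidal integration of the net inflow over each interval.
        volume_m3 += 0.5 * (a.net_inflow_m3h + b.net_inflow_m3h) * hours
    return volume_m3 / tank_area_m2


def first_static_alarm(samples: List[Sample], tank_area_m2: float,
                       window_min: float = 15.0,
                       min_fraction: float = 0.5,
                       min_expected_rise_m: float = 0.05) -> Optional[Alarm]:
    """Return the first point at which the gauge shows less than
    min_fraction of the rise the filling data says should have occurred.

    Windows in which the tank is not expected to rise noticeably are
    skipped, so an idle or emptying tank does not alarm.
    """
    start = 0
    for end in range(1, len(samples)):
        # Move the window start forward while a full window still fits.
        while (start + 1 < end and
               samples[end].minute - samples[start + 1].minute >= window_min):
            start += 1
        if samples[end].minute - samples[start].minute < window_min:
            continue  # not enough history yet
        want = expected_rise(samples, start, end, tank_area_m2)
        got = samples[end].level_m - samples[start].level_m
        if want >= min_expected_rise_m and got < min_fraction * want:
            return Alarm(samples[end].minute, want, got)
    return None


def simulate_fill(duration_min: int, step_min: int, start_level_m: float,
                  inflow_m3h: float, tank_area_m2: float,
                  stick_at_min: Optional[int] = None) -> List[Sample]:
    """Constructed readings: the gauge follows the true level until
    stick_at_min, then keeps reporting the last value (a flatline)."""
    samples = []
    true_level = shown = start_level_m
    for minute in range(0, duration_min + 1, step_min):
        if minute > 0:
            true_level += inflow_m3h * (step_min / 60.0) / tank_area_m2
        if stick_at_min is None or minute <= stick_at_min:
            shown = true_level
        samples.append(Sample(minute, round(shown, 4), inflow_m3h))
    return samples


if __name__ == "__main__":
    AREA_M2 = 500.0  # assumed cross-section, not a figure from the report
    readings = simulate_fill(120, 5, 2.0, 550.0, AREA_M2, stick_at_min=60)
    alarm = first_static_alarm(readings, AREA_M2)
    print("gauge stuck at minute 60, alarm:", alarm)
```

The check is only as good as the filling data it is given: it needs the net flow into the tank, which paragraphs 35 and 36 note the supervisors did not have independently for the UKOP lines.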

Wider underlying causes

33 The sticking gauge and inoperative IHLS were the technical causes of the overfilling of Tank 912, and were a consequence of the underlying management failures set out below.

Control of incoming fuel

34 It is essential to understand the significant difference for the supervisors in the way they controlled receipt of fuel batches from the Finaline and the two UKOP lines. The Finaline was controlled by the supervisors, while for historical reasons the UKOP lines were controlled from elsewhere.

35 There was also a stark contrast in the information available to them about the three pipelines. For the two UKOP lines the HOSL supervisors did not have access to the SCADA monitoring systems to tell them, independently of the ATG system:

- whether the UKOP lines were on or off line; and
- if online, the flow rate.

36 In theory the UKOP flow rates could be determined from the speed at which the tank was filling. This was not an easy task because tanks could be filling from the pipeline while simultaneously feeding the tanker bays. More than one tank could be filling at any one time and flow rates were likely to vary according to external factors. Advance planning of deliveries from the UKOP lines would have been difficult and sometimes well nigh impossible. Significantly, no suitable advance planning system was in place. Changes in flow rates were significant and sometimes the HOSL supervisors were not informed. For example, shortly before the explosion, the flow rate in the UKOP South line changed from 550 m³/hr to 900 m³/hr without the knowledge of the supervisors.

37 This lack of information undermined the ability of supervisors to plan and control the management of fuel. This was exacerbated by an understanding among staff that the UKOP lines had to be given priority over the Finaline for fear of the site operator incurring a financial penalty if the UKOP lines were slowed or stopped.
38 A further example of lack of control over the UKOP lines was that the only way an emergency shutdown could be achieved was by:

- a telephone call to another terminal;
- operation of an IHLS; or
- activation of a manual call point on the adjacent BPA site.

39 Unsurprisingly this lack of control over the UKOP lines was unpopular with the supervisors. It contributed to the pressure under which some of them felt they had to operate.

40 Importantly, Control Room operations should have been subject to a risk assessment but none had been carried out.

Increase in throughput

41 Since the early days of the terminal's operation in the late 1960s, there had been a four-fold increase in throughput of product. A significant proportion of this increase had occurred when the adjacent Shell terminal closed in 2002 and its throughput was absorbed into the HOSL terminal. This led to an inevitable increase in the number of tanker drivers and contractors on site, which clearly affected the workload of supervisors. The result was considerable pressure on ullage space with batches diverted between tanks to prevent overfilling. The necessary ullage would become available by virtue of tanks being emptied through tankers at the loading bays.

42 There is evidence to suggest that on the night of the incident the supervisors were confused as to which pipeline was filling which tank. Large batches of unleaded fuel were being received at site from both the Finaline and the UKOP South line. This confusion arose because of deficiencies in the shift handover procedures and the overlapping screens on the ATG system. Given the increased pressure that staff were under, and lack of sufficient data in the control room, such confusion is easily understood.

43 To manage the pressures, staff were working a considerable amount of overtime which was costly. To overcome this management tried to recruit a further supervisor. However, when a new member of staff was recruited it was immediately counterbalanced by the resignation of another.

Tank filling procedures

44 The supervisors' main duty was operating and monitoring the control systems relating to movement and storage of fuel, including control of the Finaline. A key role was the filling and emptying of tanks at HOSL. The ATG system was capable of providing supervisors with readings of a number of parameters. Supervisors viewed the ATG data on one screen and could call up screen images, one on top of another. As noted earlier, it was not possible to see the status of more than one tank at any one time. Often, three or four windows would be stacked on the computer screen, one behind another, so that the supervisor had to make a conscious decision to bring a hidden screen in to view. For level measurement the system was designed with a series of audible and visual alarms to alert the supervisor to the need to take action at various product levels within the tank.

45 Essentially there were three high level alarms. These were:

- the user high which could be set by the supervisor to indicate that intervention was required;
- the high level set at a level in the tank below its maximum working level; and
- the high-high level set below the level at which the IHLS was intended to operate.

46 Each of the eight supervisors used these alarm levels in their own way. For example, sometimes the level was allowed to pass the high level alarm. Less frequently, pressure on storage space meant that the level was allowed to rise to the high-high alarm and on occasions beyond even that. The supervisors relied on the alarms to control the filling process.

47 Such written work procedures as there were relating to the filling process were short on detail. They gave no guidance as to how to choose the tanks which had to be filled or in what circumstances, if any, it was appropriate to deliberately fill a tank above the high or the high-high level. If such a procedure was deemed by management to be appropriate, there was no guidance to support this, ie there was no description of:

- extra safeguards;
- reporting such events; and
- an effective investigation of the cause of the event.

48 In summary, there was no tank filling system worth its name. Considering that this was the single most important process control system to prevent loss of containment of fuel, this was a serious management failure in the control of a major accident hazard.

49 A robust safe system of work should have been in place to ensure that all supervisors controlled tank filling in a consistent, safe way, and that when situations arose which required them to work outside the normal operating envelope, this was recorded and reviewed by management.

When situations arise requiring staff to work outside the normal operating envelope they should be recorded and reviewed by management.

Pressure of work

50 The tank filling system, ill defined as it was, was further undermined by the unreliability of the whole ATG system as exemplified by the gauges sticking. Supervisors also had to deal with their inability to predict the working parameters of the UKOP lines and the resulting unpredictable nature of fuel deliveries through those lines. These factors were in addition to the pressure on the storage capacity caused by increased throughput at the terminal.

51 All this added up to a system that put supervisors under considerable pressure. Supervisors developed their own systems to overcome this. For example, they introduced a small alarm clock into the control room and used this to track product interfaces on the Finaline and on occasions as an additional reminder that tanks were getting close to their full capacity. The lack of confidence in the system was also demonstrated when one supervisor asked for a back-up IHLS, as the ATG system was becoming unreliable.

52 This pressure was not helped by working patterns. Supervisors worked 12-hour shifts and had other duties as well as the constant monitoring of the filling and emptying of tanks. Supervisors were blocked to work five shifts in a row, which with overtime working sometimes led to 84 hours of working in a seven-day period. No fixed breaks were scheduled; they took a break when operating conditions allowed. Supervisors worked large amounts of overtime and resisted the employment of an additional supervisor as this would result in a loss of income.

53 Management failed to recognise these unacceptable working pressures, although when the Operations Manager offered his resignation shortly before the incident because of the pressurised environment this should have confirmed that all was not well.

Management has a duty to monitor working pressures on staff and take action to keep workloads to acceptable levels so far as reasonably practicable.

18 Inadequate fault logging 54 The investigation revealed that fault logging at HOSL, in relation to key equipment and working practices, was inadequate. The shift system of working led to short-term apparent fixing of problems with no proper overview of what was going wrong and why. 55 The handover time (overlap) for supervisors between shifts was short. It was an important time when outgoing supervisors could pass on information about events during their shift. They tried to allow 15 minutes for handover but were conscious that they were not being paid for their time. The handover documentation was designed to capture information for the Finaline only and information on the UKOP lines, if captured at all, was on an ad-hoc basis. It also only captured information at the end of the shift rather than recorded incidents that happened during the shift. 56 The Operations Co-ordinator had devised an electronic defect log but the supervisors did not use it properly. While the ATG gauge on Tank 912 had stuck 14 times during the three months before the incident, this was not recorded on the defects log and the Operations Manager was unaware of the frequency of failure. It appears that the defect logging system was not consistently used, especially where the symptoms of a defect were apparently remedied quickly, by, for example, stowing the gauge or an early visit from Motherwell. Staff on site were unaware of the extent of the unreliability of safety critical equipment, and there was no system in place for senior management to monitor key safety parameters. 57 There was a similar situation with the IHLS. Faulty procedures and practices were not properly dealt with. The failings of the ATG system meant that there was greater dependence on the IHLS; as the IHLS was frequently left in an inoperable state, there was greater reliance on the ATG. The fact that both systems could not be relied upon meant that the overall control of the tank filling process was seriously weakened. 
Management failed to scrutinise the combined unreliability of the ATG system and inoperable IHLS.

58 For example, by the first week of April 2004 it was known that the IHLS on Tank 912 was not working but the tank remained in use and a new switch was not fitted until 1 July Similarly, it was found that before this Tank 911, a very busy unleaded petrol tank, was operating without an IHLS for at least nine months. A thorough defect logging system, properly scrutinised by senior management, would have revealed the serious vulnerability of the overall system.

Management should have in place systems to monitor the reliability of safety critical equipment.

Motherwell Control Systems

59 Motherwell Control Systems was used to supply and install the IHLS and to maintain the ATG system. This was a vital contractual relationship. Its importance was underlined in an independent audit of the site. The audit report in 2004 stated that:

"Contract co-ordinators should be competent to perform the function, and their competence requirements should be linked to the contract risk level. At the lower level, terminal staff should be given training to become competent, whereas it may be necessary to hire in specialists for high risk contracts."

60 The contract with Motherwell was clearly a safety critical arrangement and the competence and training of Motherwell staff working with critical equipment should have been evaluated. There appears to have been little if anything done in response to this comment from the auditors. Some information about Motherwell was obtained before 2000 but this was before the formation of a new company, Motherwell Control Services 2003 Ltd. While Total had a contractor site performance evaluation, this was about personal protection on site and not an assessment of technical ability.

61 Where contractors are engaged to carry out work upon which the safety of many and much depends, something more rigorous than the evident casual relationship with Motherwell was called for:

- There should have been a formal contract in place clarifying the expectations inherent in safety critical work.
- There should have been an effective system of reporting and recording all significant faults and their resolution. This system should have been understood and implemented by both contractual partners.
- Reliable and up-to-date specifications of what was in place and what was required should have been provided.
- Critically, in respect of the replacement of the IHLS switches in 2004, there should have been a formal management of change process. This typically would have included an engineering assessment of the benefits and disadvantages of any such change, and a consideration of what changes in procedures (eg in testing) would be necessary as a result.

For high-hazard risks dutyholders should have formal arrangements that specify the roles of all parties involved to ensure so far as is reasonably practicable that the highest standards are provided for safety critical equipment.

Loss of secondary containment

62 The bunding at Buncefield had many flaws, which caused large volumes of fuel, foam and firefighting water to leak out of the bunds. Bunds were not impermeable and not fire resistant. The bunding was unable to handle the large volumes of firewater involved in the incident.

63 Generally, the concrete performed well in resisting the burning fuels but the bunds failed badly at the joints and walls where pipes penetrated them.

Bund joints

Any concrete structure for retention of liquids should be designed to minimise the risk of cracks forming. If cracks do form they should be adequately repaired.

64 Guidance on limiting cracking is given in BS and BS and often involves including movement joints between concrete slabs to allow for expansion and contraction. Joint design is critical to ensure liquid retention; waterstops in bund expansion joints are key to their integrity and performance in containing liquids following a major accident. The joints should also be fire resistant, which can be achieved by a metal waterstop and fire-resistant sealants. The Buncefield incident also demonstrated that placing metal plates over movement joints was an effective means of improving the fire resistance of the joint. Part 4 of the Process Safety Leadership Group's (PSLG's) final report 4 provides further detail on these issues.

65 One of the bunds at Buncefield contained metal waterstops within joints. Even though this bund was exposed to a bund pool fire and tank fires, the joints performed well and did not leak significantly. Other bunds had plastic waterstops with metal plates over the inside face of the joint. These joints also maintained their integrity as the plastic waterstop and other joint material was protected from thermal impact by the metal cover plate. One bund, which was not exposed to fire but used to store liquids during the response, leaked slightly at joints where there were no waterstops, though it had been fitted with metal cover plates.

66 Within the HOSL site, three bunds (bunds A, B and C) performed particularly badly. The joints (floor and wall joints) did not contain waterstops. During the fire the sealant and other joint materials (which were not fire resistant) were badly damaged. Many of the joints leaked, allowing fuel, foam and firewater to flow onto the site roadways.

67 HOSL could and should have identified, before the incident, that the bunds were not fit for purpose. As a top-tier COMAH operator HOSL provided a safety report in which compliance with industry codes was asserted. If HOSL had reviewed the detailed design of their bunds during the preparation of this report they would have identified that the bund joints were not impermeable and fire resistant as required by those codes. Moreover, on occasions, joint leaks were seen by staff on site. Leakages noted by staff in bund A had not been repaired by the time of the incident and HOSL had not investigated the root cause of these leaks.
